Here is an update about shipping certificates with Tor Messenger:
We are now shipping the SPI (spi-inc.org) root cert for OFTC. Since this root certificate is also bundled with Debian, we are not worried about this. (We are being transparent in the build system that we are bundling this cert and will be more so in the documentation and public announcement.)
why is that one not in Mozilla's trust store? Do they have documentation on how their internal processes wrt to issuing certificates work? Do they have audits of that process?
I can't find any indication API ever wanted to be included in Mozilla's trust store, but I could be wrong. If http://www.spi-inc.org/ca/ is all the documentation they have (no issuance policy documents, no audits, no nothing) they're not going to make it it in.
Coming to the jabber.ccc.de, it is signed by CAcert. Which brings me to the question -- should we be bundling the CAcert root certificate? I base this question on the fact that it is not shipped with Debian (or Ubuntu) or Mozilla, and there seems to be a lot of discussion (one example: http://lwn.net/Articles/590879/) about this topic. Should we ship this with Tor Messenger then?
Messing with CAs is always a tricky business. And, personally, I am not a strong fan of adding root certificates of organizations that can't make sure their processes can handle issuing certificates properly, quite the contrary. (Btw. I am not claiming that all the other CAs *can* make that sure; that's a separate discussion though)
Instead of adding additional root certificates I'd explore ways of getting the necessary certificates installed in the user-friendliest way possible when the user is *actually needing* them. (There is no need to expose all those users that are neither using OFTC nor jabber.ccc.de to the additional risk that comes with shipping these root CAs when using Tor Messenger)
I'm opposed to adding root CA certificates (CACert, SPI) until such a time Tor Browser/Messenger is ready to maintain its own root store. I don't think doing that is a bad idea though, and would be interested in thinking through what it would take as a pie-in-the-sky type discussion.
But I'm also strongly opposed to requiring users to click through self-signed or invalid root certificate warnings for extremely popular services. So I think services like jabber.ccc.de and OFTC should have their leaf certs included and trusted by default after confirming their validity.
-tom